(4) Do not run any Perl or other executable code on a production system as root. Always test downloaded code locally first, and verify it against its md5 checksum before using it.
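The verification step in tip (4), as an added example that is not code from the nixCraft post: a small POSIX shell helper that compares a downloaded file's digest with the expected value and refuses to execute it as root or on a mismatch. It supports md5 as the post suggests and sha256 as the stronger choice; the file name and digest in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example for tip (4); not code from the nixCraft post.
# verify_checksum FILE EXPECTED [ALGO]
#   Compares FILE's digest with EXPECTED. ALGO is "md5" (as the post suggests)
#   or "sha256" (preferred today, since MD5 collisions are practical).
#   Returns 0 on match, 1 on mismatch or unreadable file, 2 on an unknown algorithm.
verify_checksum() {
    file=$1
    expected=$2
    algo=${3:-md5}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    case "$algo" in
        md5)    actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        sha256) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        *)      echo "unknown algorithm: $algo" >&2; return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# run_verified FILE EXPECTED [ALGO]
#   Runs FILE with sh only if its checksum matches and the caller is not root
#   (tip 4: never run downloaded code as root on a production box).
run_verified() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to run downloaded code as root" >&2
        return 3
    fi
    verify_checksum "$1" "$2" "${3:-md5}" || return $?
    sh "$1"
}

# Usage (hypothetical file name and digest):
#   run_verified ./install.sh d41d8cd98f00b204e9800998ecf8427e md5
```

The expected digest must come from a channel other than the download itself (a signed release page, a vendor mail, a separate mirror); a checksum served next to the file only detects corruption, not tampering.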

(5) Take advantage of SELinux (Security-Enhanced Linux), which provides a mandatory access control mechanism. It is also recommended that you install an anti-virus/anti-spam program such as clamav on all mail servers (or purchase a third-party AV/anti-spam solution).

(9) Remove all compilers and network scanning tools such as nmap from servers. Why make the attacker’s job easier?

Remember that you can make an attacker's life hard, but you cannot make anything 100% secure. Continuous monitoring and a tight security policy will keep the service running for a long time without any sort of intrusion 🙂

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.


Exactly… WHY is SSH stuff included in a desktop-oriented distribution?? Even so, don’t enable it by default, please! It doesn’t matter if you can’t login as root remotely. How many desktop users SSH into their own machines? I’ll admit I do it on occasion, but only to pull music, and very rarely. If I need it, I’ll start it before I go.

If you are running a web server or other services in a chrooted jail, you can safely run gcc and other compilers. I know one admin who, once his server is up, backs up and removes the gcc, rpm and up2date commands… I don’t like his solution at all. It is better to remove gcc, IMPO

Rule #3 is nonsense, IMO. Why should disabling root logins make the machine more secure? Just set “PermitRootLogin without-password”, make sure it works and be happy. I often use scp to copy data between servers, and I’d become rather unhappy if I couldn’t do this because I use non-privileged accounts that may do su or sudo, but not access the required files directly.

Disabling root logins but enabling password auth is much less safe. An attacker could brute-force your password and then would just put a su alias into your bashrc, and the next moment you’re using it you’ll be mailing him the root password without even noticing.

Why remove GCC and nmap? [btw: I wouldn’t dare remove gcc on my gentoo server :>] If the attacker is on your server, maybe even as root, then nmap won’t really make it worse. If he’s root and needs it, he will simply install it; if he’s a non-privileged user, he could try e.g. wget/GET to download a suitable executable. And things that you can do in C/C++ (->gcc) are much easier to do in script languages like shell script, Perl, PHP, Python. As especially Perl will be installed on many servers, removing GCC seems rather pointless to me.

Better to chroot as much server software as possible and give each chroot really only the tools it needs. If an attacker gains control of one of the server programs, he will be locked into the chroot (unless the server program is running as root) and there he will most probably not even find simple tools like mail, cp or mv.
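The "only the tools needed" idea in the comment above, as an added example that is not the commenter's code: a POSIX shell function that populates a jail directory with exactly the listed binaries and the shared libraries `ldd` reports for them, so nothing else (no mail, cp, mv or shell utilities) exists inside. The `chroot` call itself needs root and is shown only in the usage comment; the jail path and daemon name there are hypothetical.

```shell
#!/bin/sh
# Added example for the chroot comment; not the commenter's code.
# populate_jail JAIL BINARY...
#   Copies each BINARY into JAIL under its original path, together with the
#   shared libraries ldd reports for it. Nothing else ends up in the jail
#   unless it is listed explicitly, which is the point of a minimal chroot.
populate_jail() {
    jail=$1
    shift
    for bin in "$@"; do
        [ -x "$bin" ] || { echo "not an executable: $bin" >&2; return 1; }
        mkdir -p "$jail$(dirname "$bin")"
        cp "$bin" "$jail$bin"
        # ldd prints lines like "libc.so.6 => /lib/.../libc.so.6 (0x...)" plus the
        # dynamic loader path; pull out every absolute path. A static binary
        # yields no paths and needs no libraries.
        for lib in $(ldd "$bin" 2>/dev/null | grep -o '/[^ ]*'); do
            [ -f "$lib" ] || continue
            mkdir -p "$jail$(dirname "$lib")"
            [ -e "$jail$lib" ] || cp "$lib" "$jail$lib"
        done
    done
}

# jail_has JAIL PATH
#   Returns 0 if PATH exists inside JAIL; handy for auditing what a jail
#   contains (e.g. confirming /usr/bin/mail is absent).
jail_has() {
    [ -e "$1$2" ]
}

# Usage (root required for chroot; hypothetical jail path and daemon):
#   populate_jail /srv/jail /bin/sh /usr/sbin/httpd
#   chroot /srv/jail /bin/sh
```

Run `jail_has` against the jail for tools you do not want an attacker to find; a clean jail answers non-zero for all of them. Device nodes, configuration files and writable directories the daemon needs still have to be added by hand, each one a conscious decision.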